Restrict access to website hosted on S3
I would like to host a static website at amazon S3, but I need to restrict access to it to certain users. This maybe by ip address or by amazon credentials (only logged in u
-
Edit: User/group based restrictions do not work for static websites hosted in S3 since AWS is not registering your AWS Management Console (path: amazon.com) credentials/cookies for S3 (path: amazonaws.com) and not checking for them either.
Workaround: www.s3auth.com - Basic Auth for S3 buckets might do the trick for you but involves a third party. Another solution may be Query String Request Authentication, using an EC2 instance or the Elastic Beanstalk Java SE Static Files Option. We are currently exploring securing our buckets with an Amazon API Gateway as Amazon S3 Proxy.
Sidenote: There are some additional things to look out for, which are often not directly pointed out.
It is currently not possible in bucket policies to grant or restrict group access, only specific users. Since you also generally don't want to update each bucket policy for each change in your user structure and bucket policies might (unintentionally) interfere with your user policies you may not want to use bucket policies.
The user/group based policies only work with the
s3:GetBucketLocationands3:ListAllMyBucketsattached toarn:aws:s3:::*or*(unfortunately no filtering possible here, all bucket names will be visible for users/groups with this policy).IAM Policy Example: (not a S3 Bucket Policy and not working for Static Website Hosting)
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "s3:ListAllMyBuckets", "s3:GetBucketLocation" ], "Resource": [ "arn:aws:s3:::*" ] }, { "Effect": "Allow", "Action": "s3:GetObject", "Resource": [ "arn:aws:s3:::YOURBUCKETNAME", "arn:aws:s3:::YOURBUCKETNAME/*" ] } ] }
More detailed blog post: "How to Restrict Amazon S3 Bucket Access to a Specific IAM Role"
加载中...
- 热议问题